tetragon/windows: Support Windows create and exit process - sensor changes #3578
Conversation
ExceptionalHandler
added
the
release-note/major
ExceptionalHandler
force-pushed
the
port/windows/sensor
branch
from
108f33f to
581b292
Compare
|
OK fix up the linter. Are there any specfic changes on _linux and multi os loader side that need extra review or are we mostly moving code around? Just looking for a hint on how to review here. Can you add a bit more description to the PR title to let us know if (a) this is just code refactor to get _windows and shared or if we have logic changes on _linux side. Most important is not to introduce regressions here. |
|
Code is moved around and logical changes are done to assist compilation with code re-use. |
ExceptionalHandler
force-pushed
the
port/windows/sensor
branch
from
581b292 to
2b3b9e5
Compare
| return windows.GUID{Data1: data1, Data2: data2, Data3: data3, Data4: data4} | ||
| } | ||
|
|
||
| func WinAttachStub(_ *ebpf.Collection, _ *ebpf.CollectionSpec, |
There was a problem hiding this comment.
could be local, also maybe more decriptive name like windowsAttachNotSupp ?
There was a problem hiding this comment.
Adding Not Supported to a function name seems little off. I think the word 'stub' should communicate the meaning.
pkg/sensors/program/loader.go
Outdated
| } | ||
| } | ||
|
|
||
| func LoadTracepointProgram(bpfDir string, load *Program, maps []*Map, verbose int) error { |
There was a problem hiding this comment.
I think this should not be in generic code, let's have both linux and windows version
and windows version would look like:
func LoadTracepointProgram(bpfDir string, load *Program, maps []*Map, verbose int) error {
return windowsAttachNotSupp
}
I think it's more straight than overloading attach functions.. also it's conveying the message what attachments are supported on each os
ditto for all the other linux specific function Load*Program
There was a problem hiding this comment.
I have made this change.
ExceptionalHandler
force-pushed
the
port/windows/sensor
branch
from
2b3b9e5 to
b32be77
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
| return winAttachStub | ||
| } | ||
|
|
||
| func TracepointAttach(load *Program, bpfDir string) AttachFunc { |
There was a problem hiding this comment.
could we get away with removing this one and others, like suggested in here 16b67c7
I think we don't need those attach functions in windows code,
but I can't check and it's possible I'm missing something
it might be helpful to have target that would build windows go code on linux,
just to check if we broken something with our change
There was a problem hiding this comment.
We need these as stub functions for compilation. Windows code will not compile without these stub functions
There was a problem hiding this comment.
Actually I can remove some but not all stub functions. Let me change..
There was a problem hiding this comment.
I have removed some more unused functions
ExceptionalHandler
force-pushed
the
port/windows/sensor
branch
from
b32be77 to
e9bfe12
Compare
…anges This PR lists sensor side changes to support CreateProcess and ExitProcess events. The program loader needs to load the entire collection of native Windows ebps program image using cilium/ebpf library. The specs for a native Windows bpf program is not available as it is not in ELF format This changes the order in which maps are loaded - collection is loaded first which loads maps and programs automatically. Signed-off-by: Anadi Anadi<[email protected]>
ExceptionalHandler
force-pushed
the
port/windows/sensor
branch
from
e9bfe12 to
b00d497
Compare
Description
This PR lists sensor side changes to support CreateProcess and ExitProcess events.
The program loader needs to load the entire collection of native Windows ebps program image using cilium/ebpf library.
The specs for a native Windows bpf program is not available as it is not in ELF format
This changes the order in which maps are loaded - collection is loaded first which loads maps and programs automatically.
Changelog